I was involved in ~1,500 users and it also was an amazing exercise in futility. The previous paragraph was on the money.
It really bit us hard when we had a virus infestation and the patch from Microsoft needed the user to have admin rights in order to fix the problem. -----Original Message----- From: McLaurin, Timothy [mailto:[EMAIL PROTECTED] Sent: Thursday, July 27, 2006 3:50 PM To: Jon R. Kibler; [email protected] Cc: Drew Simonis Subject: RE: Impact of removing administrative rights in an enterprise running XP I've done it for about 2,000 users and it was brutal. The technical aspects of it was bad but even worse were the political. People can't get used to the idea of not being able to do what they want when they want. Especially the executive types. And we still gave them admin accounts, they just had to use Run As... Support isn't all that easy too because we had no idea who had what, and what was essential for their job function. There are all kinds of stupid applications that call for admin rights and once they are taken away it doesn't work anymore. Filemon, Regmon, and SetACL were a staple during that time period. -----Original Message----- From: Jon R. Kibler [mailto:[EMAIL PROTECTED] Sent: Thursday, July 27, 2006 11:09 AM To: [email protected] Cc: Drew Simonis Subject: Re: Impact of removing administrative rights in an enterprise running XP Drew Simonis wrote: > Hello all, > I wonder if anyone on the list who might work for a good sized enterprise (10,000+ seats) has gone through the excercise of removing administrative rights from the user community? > > Aside from the effort to inventory all applications and ensure that they work with restricted permissions, I forsee that such an effort would likely require changes to the entire support model. Instead of relying on users to install their own software, it would need to be done for them. New hardware would require intevention, etc. > > If someone has completed this, was support a major new burden, or was it not as difficult as it might be? If it was, how much of a burden was it (+ desktop support headcount? +helpdesk calls?)? > > -Ds Drew, Have not done it in as large of an organization as you indicate, but have TRIED to do it in smaller organizations -- and ran into MANY brick walls. It is still a work-in-progress! Things are better, but we're not there yet by any stretch at any organization that I am working with. The primary issue is that A LOT of applications assume/require administrative privilege to work. In reality, you can probably get many/most to run with less than admin priv, but figuring out what is the minimum required is not an easy task. And don't expect the application vendor to be any help either! Trying to remove local admin priv is a trial-and-error process. A lot of apps will work most of the time, then one seldom-used feature breaks it. You would be surprised the apps that require privilege to run... many big name ones, such as the Intuit product line. There was a discussion on DShield a few months back on this topic, and several people named names of applications with privilege problems (but nothing close to scratching the surface!). Good luck. Oh, BTW, as you try this task, publishing a list of the required minimum privilege for each application would be a great help to everyone. I wanted to do that, but my clients all objected. Jon -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA (843) 849-8214 ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email. --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
